Embodiments of the present invention generally relate to handling information related to financial transactions. More specifically, embodiments of the present invention relate to methods and systems for utilizing dynamic cryptograms in a financial transaction.
Today, merchants and service providers accept many forms of payment. Many merchants will accept cash, credit cards, debit cards, stored-value cards, checks, and promotional items such as coupons. Additionally, various forms of wireless or contactless devices have been introduced for use in various types of transactions. For example, contactless transaction initiation is often performed with a “smart” card or other device such as a key fob or a mobile device such as a cell phone or Personal Digital Assistant (PDA) containing a memory and a processor. Such a card or device typically also includes Radio-Frequency IDentification (“RFID”) or Near-Field Communications (NFC) components for contactless communication with a Point-Of-Sale (POS) device. The information stored in the memory of the device and communicated via the RFID or NFC components to the POS device is generally similar or identical to the information recorded on the magnetic stripe of a card, i.e., account number etc. Thus, in some cases, such devices may be utilized instead of more conventional cards.
However, such devices and/or transactions are vulnerable to a number of different types of attacks from identity thieves or other criminals. For example, devices capable of skimming transmissions between the merchant's reader and cards or other devices can be placed near the NFC reader to read the transaction information, including the account number, when a card or device is read at the POS device. In another example, illegal portable readers can be used which, when brought into proximity with a card or other device can read the account information from the card even while it is being carried in a wallet or purse. In yet another example, transactions or transaction information that are transmitted through a payment processor's network or other network may be intercepted and read to obtain account numbers and/or other information.
In an effort to prevent such attacks, encryption is sometimes used to protect the account number on the card or device. Such encryption utilizes an encrypted account number on the card or device or an encryption key that is loaded into the card or device that is derived from an institution level key (i.e., it applies to many cards) and the card number. However, using a common key can lead to a compromise of a large number of cards if the institution's encryption key is exposed. A common defense against this risk is to derive a card level key using the common institution level key and some card level attributes such as the Primary Account Number (PAN), though this technique has exposure risk as well. This key exposure can result from a failure in business processes of the issuer to protect the key or an assault on a single chip, e.g., using electron-microscopy to expose the derived key followed by a DES assault to derive the institution's key. If the institution key is compromised, all transactions for all cards or devices with this institution's key are potentially exposed. Therefore, a new key must be created and a possibly large number of cards re-issued. Hence, there is a need in the art for improved methods and systems for securely handling a financial transaction.